Added kms:GenerateDataKey action to KMSEncryptPolicy policy (#3657)

elmaimbo · Nick Tait · aaythapa · web-flow · commit 51b69948efa5 · 2024-11-03T23:57:03.000-08:00
Co-authored-by: Nick Tait &lt;nick.tait@global.ntt&gt;
Co-authored-by: Aayush thapa &lt;84202325+aaythapa@users.noreply.github.com&gt;
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
@@ -1275,6 +1275,38 @@
         }
       }
     },
+    "KMSEncryptPolicy_v2": {
+      "Definition": {
+        "Statement": [
+          {
+            "Action": [
+              "kms:Encrypt",
+              "kms:GenerateDataKey",
+              "kms:GenerateDataKeyWithoutPlaintext",
+              "kms:GenerateDataKeyPair",
+              "kms:GenerateDataKeyPairWithoutPlaintext"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::Sub": [
+                "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+                {
+                  "keyId": {
+                    "Ref": "KeyId"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      },
+      "Description": "Gives permission to encrypt with KMS Key",
+      "Parameters": {
+        "KeyId": {
+          "Description": "ID of the KMS Key"
+        }
+      }
+    },
     "KinesisCrudPolicy": {
       "Definition": {
         "Statement": [
diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
@@ -187,3 +187,6 @@ Resources:
 
       - StepFunctionsCallbackPolicy:
           StateMachineName: name
+
+      - KMSEncryptPolicy_v2:
+          KeyId: keyId
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
@@ -1726,6 +1726,31 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy63"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "kms:Encrypt",
+                    "kms:GenerateDataKey",
+                    "kms:GenerateDataKeyWithoutPlaintext",
+                    "kms:GenerateDataKeyPair",
+                    "kms:GenerateDataKeyPairWithoutPlaintext"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+                      {
+                        "keyId": "keyId"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy64"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1726,6 +1726,31 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy63"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "kms:Encrypt",
+                    "kms:GenerateDataKey",
+                    "kms:GenerateDataKeyWithoutPlaintext",
+                    "kms:GenerateDataKeyPair",
+                    "kms:GenerateDataKeyPairWithoutPlaintext"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+                      {
+                        "keyId": "keyId"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy64"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1726,6 +1726,31 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy63"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "kms:Encrypt",
+                    "kms:GenerateDataKey",
+                    "kms:GenerateDataKeyWithoutPlaintext",
+                    "kms:GenerateDataKeyPair",
+                    "kms:GenerateDataKeyPairWithoutPlaintext"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+                      {
+                        "keyId": "keyId"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy64"
           }
         ],
         "Tags": [
